A website that makes it child’s play for iPad and iPhone owners to jailbreak their devices raises important security concerns.
The site, jailbreakme.com, exploits an iOS vulnerability to run unauthorised code on Apple customers’ iPhones and iPads, including the new iPad 2. In this way it lets users jailbreak their devices and run programs that have not been approved for the official App Store.
Usually jailbreaking requires users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad and gain access to the Cydia underground app store.
Sites like JailBreakMe make the process much simpler.
But if merely visiting the JailBreakMe website in Safari is enough to trigger a vulnerability and run the site’s code, just imagine how someone with more nefarious intentions could abuse the same vulnerability to install malicious code on your iPad or iPhone.
If they exploited the same vulnerability in a copy-cat manoeuvre, cybercriminals could create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices.
A website like JailBreakMe is making it easy to jailbreak your iPhone or iPad – but it could also be said to be giving a blueprint to malicious hackers on how to infect such devices with malware.
I don’t want to be a party pooper for those who wish to jailbreak their Apple devices, but it’s essential that Apple closes this vulnerability as quickly as possible, before it is abused with malicious intent.
Interestingly, “Comex”, the creator of the JailBreakMe website seems to recognise that hackers might copy the exploit to use in the form of an iPad or iPhone virus. However, he attempts to deflect any responsibility in his FAQ:
"I did not create the vulnerabilities, only discover them. Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."
Apple will be furious that this vulnerability has been made public in this way, and that they have not yet got an official patch to protect their millions of users.
Sophos’s experts have added detection of the exploit code as Troj/PDFEx-ES, but because Apple does not allow anti-virus software in the official App Store, there is no on-device protection available to users.
This isn’t the first time that JailBreakMe has made it simple to jailbreak your iPhone, and taken advantage of a vulnerability to run their code. Something similar happened last year and forced Apple to issue a security patch.
All eyes now turn to Apple to see how quickly it can secure its users from this new potential vector for iPhone/iPad malware infection. Leaving a security hole like this open is simply inviting malicious hackers to exploit it.
Wasn't that PDF vulnerability supposed to be fixed in a previous iOS update ?!?!
I'm fairly certain this is a different vulnerability. PDF readers seem particularly hard to free of glitches and holes for some reason…
Part of the reason that PDF readers are hard to write securely is that Postscript (which makes up the majority of the internals) is actually its own executable language.
This means the PDF reader has to have a complete Postscript interpreter which is used to "run" the document (rather than just showing it like you would a text file). In effect therefore – PDFs should be considered programs rather than documents.
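Taking the point above that a PDF is closer to a program than a document, here is an added example (not code from the original post or from any commenter) of the byte-level triage a responder would run on a PDF picked up from a suspicious web page. The list of "active content" keys it looks for is an assumption for the example, not a complete taxonomy, and the two sample files are constructed inline rather than taken from any real exploit. It shows two things a naive grep misses: PDF names can be hex-escaped (so /J#61vaScript is /JavaScript), and object streams can keep whole dictionaries Flate-compressed, so the scanner inflates every stream before counting.

```python
import re
import zlib

# Dictionary keys that turn a PDF from static content into something the viewer
# must execute or parse as a program: script actions, launch actions, attached
# files and embedded font programs. Assumed list for this example only.
ACTIVE_KEYS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/FontFile", b"/FontFile2", b"/FontFile3",
)

NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")       # a PDF name object
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")          # #xx hex escape inside a name
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Resolve hex escapes so /J#61vaScript is seen as /JavaScript."""
    def fix(m):
        return NAME_ESCAPE.sub(lambda e: bytes([int(e.group(1), 16)]), m.group(0))
    return NAME_TOKEN.sub(fix, data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every Flate-compressed stream.
    Object streams (/ObjStm) let a file keep whole dictionaries compressed,
    so a raw grep that never inflates them misses the interesting keys."""
    chunks = []
    for m in STREAM.finditer(data):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, uncompressed content, etc.)
    return b"\n".join(chunks)


def triage_pdf(data: bytes) -> dict:
    """Count each active-content key in the visible file and inside inflated
    streams. Returns {} for a file that carries none of them."""
    visible = normalise_names(data)
    hidden = normalise_names(inflate_streams(data))
    findings = {}
    for key in ACTIVE_KEYS:
        # require a full name token: /FontFile must not match /FontFile3
        pat = re.compile(re.escape(key) + rb"(?![^\s/\[\]<>(){}%])")
        n = len(pat.findall(visible)) + len(pat.findall(hidden))
        if n:
            findings[key.decode()] = n
    return findings


def build_sample(active: bool) -> bytes:
    """Construct a minimal PDF for the demo (no xref table, which byte-level
    triage does not need). With active=True it adds an OpenAction JavaScript
    object with hex-escaped names and a font descriptor hidden inside a
    Flate-compressed object stream."""
    objs = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if active else b"")
        + b" >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
    ]
    if active:
        objs.append(b"4 0 obj << /S /J#61vaScript /J#53 (app.alert(1)) >> endobj")
        packed = zlib.compress(b"<< /Type /FontDescriptor /FontFile3 6 0 R >>")
        objs.append(
            b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream endobj"
        )
    objs.append(b"%%EOF")
    return b"\n".join(objs)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    for key, count in sorted(triage_pdf(data).items()):
        print(f"{key:14s} x{count}")
```

Run it as `python triage.py suspect.pdf`; with no argument it scans the constructed malicious sample and reports /FontFile3, /JS, /JavaScript and /OpenAction once each, while the benign sample reports nothing. The counts are a triage signal, not a verdict: embedded font programs are common in legitimate documents, but they are exactly the kind of data the viewer's parser has to interpret rather than display, so their presence in a file served by an untrusted site is what you weigh against where the file came from.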
The best solution at this time to defend against this vuln is to jailbreak, then install the pdfpatch 2 from Cydia to close the hole on your iOS device.
I think pdf vulnerability can be fixed by installing pdf fix app from cydia after jailbreaking so that device can be secured from any further exploits.
Yep, that's why Sophos doesn't give the full story.
"If they exploited the same vulnerability in a copy-cat maneuver, cybercriminals could create booby-trapped webpages that could — if visited by an unsuspecting iPhone, iPod Touch or iPad owner — run code on visiting devices,"
True, but if you run the exploit yourself to jailbreak your device it actually patches the vulnerability.
I really wonder... is it worth it to jailbreak an iPod/iPhone/iPad?
Eh, the Jailbreakme site has been operating as described for a full year now. The only thing that's changed is that the exploit has been updated.
Not really. JailBreakMe only worked on an earlier version of iOS that has a PDF vulnerability. This version only works on 4.3. Visit with other iOSes and nothing happens.
It's ironic that the best way to secure your iPhone/iPad right now is to Jailbreak it. But the commenters above are correct — currently the only known patch for this PDF exploit is the patch available from Cydia, which you can only install if you're jailbroken.
Also interesting is that this vulnerability was first discovered and published by "comex" and/or "geohot" a few days prior to the release of the iPad 2. So Apple can't really be all that furious… they've had about four months to close the vulnerability themselves.